GitHub secret scanning adds 28 new detectors and expands push protection defaults in March update
GitHub · security · feature · platform · github.blog

New Secret Detectors

GitHub's secret scanning service now detects 28 new secret types from 15 providers, significantly expanding coverage of third-party integrations. Notable additions include:

  • Vercel: 6 new detectors covering API keys, refresh tokens, and integration access tokens
  • Snowflake: PostgreSQL connection string detection and credentials
  • Supabase: Personal access tokens and secret keys
  • Lark: Multiple detectors for app credentials and session tokens
  • Additional providers: Azure, Baidu, Fieldguide, Figma, Flickr, Langchain, Limbar, PostHog, Proof, Weatherstack, and WSO2

Push Protection Enabled by Default

39 existing secret detectors now have push protection enabled by default, automatically blocking pushes of commits that contain detected secrets in repositories with secret scanning enabled. This includes high-impact providers:

  • AWS, Databricks, Heroku, Shopify
  • Datadog, Fastly, Mapbox, Pinecone, Raycast
  • Netflix, Paddle, and dozens more

Developers can still customize push protection settings on a per-detector basis.

Enhanced Validation Capabilities

The update adds validity checking for 5 secret types, allowing GitHub to automatically verify whether a detected secret is still active. This helps teams prioritize remediation of credentials that are still active:

  • Airtable personal access tokens
  • DeepSeek API keys
  • npm access tokens
  • Pinecone API keys and environment variables
  • Sentry personal tokens

All updates are available to GitHub secret scanning customers. Partner secrets are automatically reported to the respective service providers when discovered in public repositories through GitHub's partnership program.